Office (OLE) / .DOC malware analysis — malicious · fb738b26eb026e60

MALICIOUS

Office (OLE) / .DOC

62.5 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 577dc7c8388db5fe8cc4f6105f5a0bee SHA-1: 73490e5031ff1eded92ad2a7fa59a669e9848045 SHA-256: fb738b26eb026e6028f468283982632b97400245429503fb14de639e10cb1354

122 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample exhibits characteristics of a malicious document, including PEB access and API hash resolution, which are common evasion techniques. The large amount of slack space in the OLE structure further suggests obfuscation. However, no VBA macros could be extracted, and no document body text was available for analysis, limiting the ability to determine the specific attack vector or payload. The confidence is moderate due to the lack of concrete execution indicators.

Heuristics 4

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 64,016 bytes but its declared streams total only 21,151 bytes — 42,865 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.